The second Tuesday of the month is here, and that means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.
Adobe Patches for October 2021
For October, Adobe released six patches covering 10 CVEs in Adobe Reader, Acrobat Reader for Android, Adobe Campaign Standard, Commerce, Ops-CLI, and Adobe Connect. The update for Adobe Acrobat fixes four bugs in total – two rated Critical and two rated Moderate in severity. Two of these bugs were submitted through the ZDI program. The Critical-rated bugs could allow remote code execution while the Moderate-rated bugs could allow a privilege escalation. The update for Reader for Android fixes a single path traversal bug that could lead to code execution. All require some form of user interaction, such as browsing to a web page or opening a PDF.
Several cross-site scripting (XSS) bugs receive patches this month. The patch for Campaign Standard fixes a DOM-based XSS. The fix for Adobe Commerce addresses a stored XSS. The patch for Adobe Connect fixes two bugs, one of which is a reflective XSS. The other bug is a more severe Critical-rated deserialization vulnerability that could allow remote code execution. The final Adobe patch for October fixes a Critical-rated deserialization bug in Ops-CLI, which is a Python wrapper for Terraform, Ansible, and SSH for cloud automation.
None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.
Microsoft Patches for October 2021
For October, Microsoft released patches today for 71 new CVEs in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, .NET Core and Visual Studio, Microsoft Office Services and Web Apps, SharePoint Server, Microsoft Dynamics, InTune, and System Center Operations Manager. This is in addition to the eight CVEs patched by Microsoft Edge (Chromium-based) earlier this month and three previously released OpenSSL patches, which brings the October total to 82 CVEs – slightly down from last month. A total of 11 of these bugs were submitted through the ZDI program.
Of the 71 CVEs patched today, two are rated Critical, 68 are rated Important, and one is rated Low in severity. Three of today’s patches are listed as publicly known, while one is listed as being under active attack at the time of release. This is in addition to two of the Chromium bugs that were listed as under active attack when Chrome patched on September 30. For those wondering, this month does include patches for the recently released Windows 11 operating system.